Security Hub vs Security Hub CSPM
AWS Security Hub: What Changed and What You Should Do
OpenSecOps Newsletter - February 2026
If you've logged into the AWS console recently, you may have noticed something odd: there's now both "Security Hub" and "Security Hub CSPM" in the menu. What's going on?
AWS has restructured Security Hub in a way that we find unnecessarily confusing. This article explains what changed, why it matters, and what OpenSecOps customers should do about it.
The short version: Keep using Security Hub CSPM. Don't enable the "new" Security Hub. Your autoremediation continues working exactly as before.
The Great Renaming
In June 2025, AWS made the following changes:
| Before | After | What It Is |
|---|---|---|
| Security Hub | Security Hub CSPM | The original service you've been using |
| (didn't exist) | Security Hub | A completely new service |
You read that correctly. AWS took the name "Security Hub" away from the existing service and gave it to a brand new, completely different service. The original Security Hub was renamed to "Security Hub CSPM" (Cloud Security Posture Management).
We'll say it plainly: this naming decision creates unnecessary confusion. Customers searching for documentation, following tutorials, or talking to AWS support now have to constantly clarify which Security Hub they mean.
Why Two Services?
The difference is technical but important.
| Service | Data Format | Description |
|---|---|---|
| Security Hub CSPM | ASFF | AWS Security Finding Format |
| Security Hub (new) | OCSF | Open Cybersecurity Schema Framework |
ASFF is the format AWS created years ago for security findings. It works, it's mature, and it's what all existing automation is built on.
OCSF is a newer industry standard backed by AWS and over 100 security vendors. It promises better interoperability across cloud platforms and security tools.
The catch: these formats are not compatible. Automation built for ASFF does not work with OCSF.
What This Means for You
OpenSecOps SOAR processes security findings in ASFF format from Security Hub CSPM:
Security Hub CSPM (ASFF) → EventBridge → SOAR → Autoremediation
This is how your failed controls get automatically fixed. This is how incidents get created and escalated. This is how your weekly AI security report gets generated.
If you enable the new Security Hub, it generates findings in OCSF format. Your SOAR won't process them - it's expecting ASFF. You'll end up with:
- Duplicate findings in two different formats
- Confusion about which findings are being handled
- Additional cost for no additional benefit
Our Recommendation
Don't enable the new Security Hub.
Your current setup provides everything you need:
- Continuous compliance monitoring (CIS, PCI DSS, NIST, and more)
- Automated remediation of security misconfigurations
- Incident management and escalation
- Weekly AI-generated security reports
The new Security Hub adds AI-powered risk prioritization and enhanced analytics. But you already have intelligent prioritization through SOAR's processing pipeline. The practical benefit is minimal for customers with mature automation.
Common Questions
"Should I worry that we're using the 'old' service?"
No. Security Hub CSPM is fully supported and receiving updates. AWS has announced no deprecation timeline.
"Will AWS eventually discontinue CSPM?"
Unknown. If they do, there will be a migration path and we'll guide you through it.
"What if I already enabled the new Security Hub?"
You can disable it or simply ignore its findings. Your SOAR continues processing CSPM findings regardless.
"Is AWS pushing customers toward the new service?"
The console does prompt you to enable it. You can decline. If AWS representatives ask why, explain that you have ASFF-based automation that would break.
The Future: OCSF Support
We recognize that OCSF is becoming the industry standard. While ASFF has served AWS customers well, OCSF offers broader interoperability - and AWS clearly sees it as the future.
We are evaluating OCSF support for a future release of OpenSecOps SOAR.
When we implement it:
- OCSF processing will run alongside ASFF - your existing automation stays unchanged
- We'll provide a migration path to gradually transition rules
- All autoremediation capabilities will work with both formats
- We won't release until it meets our quality standards
We'll announce OCSF support when it's ready. Until then, Security Hub CSPM remains the correct choice.
What To Do Now
| Your Situation | Action |
|---|---|
| Haven't enabled the new Security Hub | Do nothing. Continue using CSPM. |
| Already enabled the new Security Hub | Consider disabling it, or just ignore its findings. |
| AWS prompts you to enable it | Decline. |
| Want to discuss OCSF migration planning | Contact us. |
Summary
AWS renamed Security Hub to Security Hub CSPM and launched a new, incompatible service called Security Hub. The naming is confusing, but the action is simple: stick with what you have.
Your OpenSecOps automation runs on ASFF. The new Security Hub speaks OCSF. They don't talk to each other. When OCSF support matters, we'll build it. Until then, your security posture is exactly where it should be.
Peter Bengtson OpenSecOps
